
Navigating Data Breach Compliance: A Guide for Startups Under the DPDP Act

In today’s technology-driven world, protecting personal data has become the need of the hour for individuals as well as organizations ranging from established MNCs to up-and-coming startups. Due to major data breach incidents in India in recent years, including the Angel One incident (2024), the Big Basket incident (2020), etc., the Indian Government felt the need to protect personal information through a specialized legislation, which is why the Digital Personal Data Protection Act was passed by Parliament in 2023 (its enforcement is awaited), placing different obligations and restrictions on organizations regarding the collection, storage and processing of personal data. However, these new obligations, combined with the existing requirements under the Information Technology Act, 2000 and other general laws, present a unique challenge for startups. This article discusses the latest obligations placed on companies when it comes to data breaches. Let’s look into it.

Key Obligations for Startups for Data Breach Reporting

As mentioned above, there are several legislations apart from the DPDP Act that put requirements on companies. There are rules that govern the reporting of cybersecurity breaches, which may include personal data. These are discussed below:

1. DPDP Act, 2023: Under the legislation, data fiduciaries must ensure that they have robust technical measures in place to protect the collected data from any form of unauthorized access or loss. In case of a data breach, data fiduciaries are obligated under section 8 of the Act to report the breach to the Data Protection Board of India and to the affected individuals.

The DPDP Act defines a personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”. Therefore, Data Fiduciaries are required to report all types of personal data breaches, regardless of the sensitivity of the breach or its impact on the Data Principal.

2. CERT-In Rules: The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”), along with the Cyber Security Directions, impose mandatory reporting requirements on companies upon the occurrence of certain cybersecurity incidents, which may result in unauthorized access, denial or disruption of service, unauthorized use of a computer resource for processing or storage of information, or changes to data or information without authorization.

Types of Incidents to be reported: Annexure I appended to the Cyber Security Directions provides the types of incidents that should be reported to CERT-In. This is a comprehensive list of 20 categories, which includes items such as data breach, data leak, unauthorized access of IT data, identity theft, malicious mobile apps, etc.

It is pertinent to note that these directions place a time-sensitive obligation on companies to report the incidents listed in Annexure I within 6 hours of noticing them.

3. Global Data Protection Regulation: The GDPR is the flagship data protection framework operating in the EU region. Startups that operate or wish to operate in the EU will have to process the personal data of EU residents, which is why they must comply with strict requirements such as obtaining explicit consent, conducting data protection impact assessments, appointing a Data Protection Officer (DPO), and promptly reporting data breaches.

Apart from the above-mentioned legislations, startups may also have to adhere to country-specific regulations depending on the territories in which they want to operate. The USA, New Zealand, Australia, etc. are major jurisdictions where different data privacy laws exist.

Challenges for Startups in Data Breach Reporting

With stringent legal procedures established at both the national and international level, the newly emerging world of startups faces several hurdles in meeting its statutory reporting responsibilities, for reasons such as:

1. Lack of Expertise: As startups operate at a small scale with limited teams and limited resources, it becomes challenging to obtain the help of designated experts to deal with data protection and cybersecurity. This leads to delays in detecting, preventing and responding to breaches in a timely manner, which in turn leads to legal implications.

2. Customer Trust: Given the limited market reach of small-scale businesses, building a reputation amongst users is a crucial aspect for startups. In case of a breach, disclosing it to the public and to the authorities might lead to reputational damage, harming their profitability and growth.

3. Outsourced Processes: Due to limited capacity, startups often outsource their data protection processes to third-party vendors and allow such third parties to handle sensitive information collected from data principals. In case of a breach, detecting the source of that breach becomes a time-consuming process, leading to delays in adhering to the norms and timelines prescribed under the law.

4. Changing Regulations: The ever-changing landscape of data privacy laws presents challenges for startups, as it requires constant monitoring of changes at all levels, agility in adapting policies and practices, and investment in legal compliance. These efforts can strain budgets but are essential to avoid legal risks, fines, and reputational damage.

Strategies to Ensure Compliance

1. Constant Training: Startups need to invest in training their staff on existing and upcoming data privacy laws. Employees who receive ongoing training can ensure that obligations are fulfilled and compliance is effective.

2. Effective Monitoring: Startups must undertake periodic assessments of their data practices, covering information about collection, storage, processing methods, and access points.

3. Data Minimization: Since startups operate on a limited budget, they should collect only the information required for their core operations. Companies should implement stringent data retention standards and grant access to this data only to authorized personnel.

4. Data Breach Response Plan: Every startup should have a defined set of guidelines to be followed in response to a data breach. These guidelines must be in conformity with the existing requirements under data privacy statutes.

Conclusion

With the DPDP Act yet to be enforced, the compliance burden on emerging startups has increased. Even though the legislation addresses one of the most debated topics of the modern world, it pushes startups operating with limited resources into a vulnerable position. To tackle this, startups should follow the guidelines discussed in this article to prevent cybersecurity breaches and ensure transparency while handling any form of personal data of data principals. Proactive compliance, coupled with an integrated approach to data protection, will be key to successfully managing data breaches and mitigating their impact.

The rules of the Bar Council of India prohibit law firms from soliciting work or advertising in any manner. By clicking on ‘I AGREE‘, the user acknowledges that: T&R Law Offices is not liable for any consequence of any action taken by the user relying on material/information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.